Grails single sign on


We're trying to implement SSO (the web application will get the users' credentials from Windows authentication so that the user will not be prompted to enter their credentials anymore) in our Grails (1.3.6) web application with the Acegi 0.5.2 plugin.

I was able to successfully connect the web application to our LDAP and Kerberos via the configuration below. I can now log in (I will remove this login page in the future) to the application using my Windows credentials. The problem is, when I try to use another PC (a different user logged in to Windows) I can still log in to our web application (using my PC credentials). So, it looks like I only implemented LDAP/Active Directory authentication and not SSO. I'm confused now, because I can clearly see that the Kerberos authentication is working fine.

How do Acegi and Kerberos work? My understanding is that my web application queries the Kerberos KDC and, if the user whose credentials I've entered is logged in to Windows, then the user will be authenticated. But clearly that is not the case, because I've tried logging a user off from their PC and using the logged-off user's credentials to log in to my web application, and it is still authenticated.

I've searched the net and it pointed me to SPNEGO. How can I implement this in my Grails application? Should I turn off Kerberos in Acegi if I'm going to use SPNEGO?

Acegi config:
ldapServer = 'ldap://aCompany.local:389'
ldapManagerDn = 'CN=Test,CN=Users,DC=aCompany,DC=local'
ldapManagerPassword = 'T3st'
ldapSearchBase = 'DC=aCompany,DC=local'
ldapSearchSubtree = 'true'
ldapSearchFilter = '(sAMAccountName={0})'
ldapGroupSearchBase = 'OU=User Accounts,OU=Test Group'
ldapGroupSearchFilter = 'member={0}'
ldapUsePassword = false

// Kerberos
useKerberos = true
kerberosLoginConfigFile = 'WEB-INF/jaas.conf'
kerberosRealm = 'ACOMPANY.REALM'
kerberosKdc = ''
kerberosRetrieveDatabaseRoles = true

Any advice or suggestion would help. Thank you.
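
What SPNEGO changes compared with the form login described above, as an added example that is not part of the original post or of the Acegi plugin: the browser sends a ticket from the Windows logon session in an `Authorization: Negotiate` header (RFC 4559), so no password reaches the application. The function names and sample tokens are constructed for illustration, and validating the ticket itself needs a GSS-API acceptor with the service keytab, which is assumed and not shown.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                          # NTLM message signature

def classify_token(token: bytes) -> str:
    """Identify the mechanism of a decoded Negotiate token from its header bytes."""
    if token.startswith(NTLMSSP):
        return "ntlm"
    # GSS-API initial token: 0x60 <DER length> 0x06 <oid length> <mechanism OID>
    if len(token) > 2 and token[0] == 0x60:
        i = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip long-form length
        if token[i:i + 1] == b"\x06" and len(token) > i + 1:
            oid = token[i + 2:i + 2 + token[i + 1]]
            if oid == SPNEGO_OID:
                return "spnego"
            if oid == KRB5_OID:
                return "kerberos"
    return "unknown"

def negotiate_step(headers: dict) -> tuple:
    """Return (decision, response_headers) for one request; hypothetical helper."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        # No ticket yet: ask the browser to authenticate with its logon session.
        return "challenge", {"WWW-Authenticate": "Negotiate"}
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed", {}
    kind = classify_token(token)
    if kind in ("spnego", "kerberos"):
        # Assumed next step: hand the token to a GSS-API acceptor with the keytab.
        return "validate-with-gssapi", {}
    # NTLM fallback or junk is not a Kerberos ticket; do not treat it as SSO.
    return "reject-" + kind, {}

def sample_spnego_token() -> bytes:
    """Constructed header-only token (not a real ticket) for the demo."""
    body = b"\x06\x06" + SPNEGO_OID + b"\xa0\x00"
    return b"\x60" + bytes([len(body)]) + body

if __name__ == "__main__":
    b64 = base64.b64encode(sample_spnego_token()).decode()
    print(negotiate_step({}))                                    # first request
    print(negotiate_step({"Authorization": "Negotiate " + b64}))  # retry with token
```

A browser that cannot obtain a Kerberos ticket for the service may answer the same challenge with an NTLM token, which is why the sketch classifies the token before accepting it.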